GAO MISDIAGNOSED RFID
13 June 2005 - Venture Development Corporation
It is common to get a second opinion in medicine. Another doctor may consider different factors, perhaps leading to a different, better or worse, diagnosis. After reading the recent Government Accountability Office report on RFID in federal government, one may want to get a second opinion.
The GAO report discusses privacy and security aspects of RFID transponders used to support inventory control and contactless smartcard applications. The GAO calls attention to a primary ailment, RFID data security. But understated in the GAO assessment are the overall health of the market; the RFID value proposition; and the progress the industry has made in addressing performance, standards, and cost reduction.
The GAO report is flawed and provides a relatively unfavorable, potentially damaging view of RFID. The report cites several security-related issues that RFID can present, such as tracking individual movements, preferences, confidential personal information, etc. The report also suggests that interest from government officials in RFID is increasing, especially as costs fall and application uses expand. To compile the report, the GAO focused on responses received from a variety of government agencies, 24 in total, including the departments of State, Energy, Homeland Security, Labor, and others.
On the whole, it is difficult to disagree with the GAO report's basic diagnosis: RFID must provide enhanced physical and logical security and be backed by harmonized standards that ensure interoperability and safe communication. Critics say RFID could reduce or eliminate purchasing anonymity and could even threaten civil liberties. The issue becomes even more acute in plans to deploy RFID-enabled identification, payment, and loyalty cards. Privacy advocates are concerned that information stored on tags could be read 'by anyone with an RFID reader': data thieves, hackers, or worse. Right now, this isn't much of a threat; but as RFID becomes more widely adopted, the pressure to address the security issue is sharply increasing. It is a daunting challenge that touches all links in the RFID value chain, from RFID ICs to the system infrastructure, including the Internet. No one has complained of a security breach related to an RFID deployment, yet.
Like the GAO, businesses and vendors alike acknowledge that security remains a question mark. For now, security has taken a backseat to the focus on improved performance, bottom-line results, and returns on investment for RFID. However, with a technology as ubiquitous as RFID will be, admittedly there is great potential for damage.
To be fair, RFID data security is an extraordinarily difficult problem to solve. There is no panacea. Not only is it extremely challenging to build any kind of cryptosystem into an RFID chip that is small and weak, but also the system itself would remain utterly defenseless against electrical deception. Manipulating an IC power source is one of the definitive ways of culling its cryptographic secrets; in fact, satellite TV hackers have employed this method over the last few years.
In addition, most passive tags supporting EPCglobal standards are write-once, but RFID tags that support other standards, such as ISO, provide multiple write-to capabilities, and the market will soon be flooded with EPCglobal UHF generation 2 protocol RFID tags that also support multiple-write features. Because they are not write-protected, passive tags can be changed or written to up to a couple of thousand times. However, the Gen2 protocol will provide enhanced security features for passive tags. The standard provides password protection as well as the ability to encrypt the data being sent from the tag to the reader, rather than having encryption on the tag itself. Further, the lack of support for point-to-point encryption (which is available using existing standards such as ISO 14443/DESFire) and a PKI key exchange contributes to tag vulnerability. However, a number of security measures, including ISO standard 15693 for data authentication, are already used in payment and security/access applications and could play a role in RFID security.
Part of the problem with adopting existing standards, at least at one level, may be the extremely low cost and therefore extremely light functionality on the tags. Encryption on a tag, for instance, would chew up too much of a tag's processing power, as well as add extra cost to tags that need to be lightweight and inexpensive to keep costs in line. The good news is that the industry is paying more attention to the security issue. RFID technology can help maintain the balance between those concerned about business efficiency and those concerned about data integrity and privacy. However, the level of security and privacy needs to grow in proportion with deployment.
The exclusion, either by definition or methods of reporting, of critical, large-scale federal RFID deployments makes the GAO security argument a tough pill to swallow. Two glaring omissions are discussions of the Department of Defense's use of RFID and the General Services Administration's planned deployment of ISO 14443 contactless smartcards. The DoD, which touts the world's largest supply chain and is a leading early adopter of RFID, was not issued a survey because the GAO collects relevant data through other ongoing work. And ISO 14443-based cards were not covered because they are not considered RFID technology under the GAO report. However, ISO 14443 cards are widely used throughout federal agencies to support security/access control and employee identification. These two omissions give examples of areas where RFID provides demonstrable ROIs, offers solid value propositions, and yields benefits. In essence, the GAO report was handicapped from the start. Congress requested an in-depth analysis of the use of RFID across federal agencies, but notable pieces of the puzzle are missing.
Regardless of what the GAO report may lead one to believe, it must be stated that the RFID market is healthy. According to VDC research, the industry reached nearly $1.8 billion last year.
This dollar figure provides evidence that the RFID market is quite healthy and lucrative. And RFID continues to make inroads into traditional and new application arenas, especially as costs decline, technology improves, and standards codify.
Security issues aside, the RFID industry has made much progress, and that must not be understated. For example, technology performance, particularly for EPC UHF solutions, is increasing with each new product release and installation. Read accuracy rates are higher; read ranges are longer; and transmission times are faster. In addition, users are stepping up their efforts in determining the value proposition for RFID based on how it impacts their business operations. The cost of RFID is becoming more easily justified as users realize the benefits RFID can have on an enterprise.
By concentrating on the key areas of weakness (security) and failing to highlight RFID's successes, the GAO has done a disservice to the industry. The GAO report is primarily flawed because it omits discussions of RFID and federal policies for credentialing programs. It fails to provide a crisp, clear, and comprehensive analysis of the strengths, weaknesses, opportunities, and threats for RFID in federal government.
http://www.vdc-corp.com
About: Venture Development Corporation
Venture Development Corporation (VDC) is an independent technology market research and strategy consulting firm that specializes in a number of industrial, embedded, defense and niche enterprise IT markets. VDC has been operating since 1971, when graduates of the Harvard Business School and Massachusetts Institute of Technology founded the firm. Today, we employ a talented collection of analysts and consultants who offer a rare combination of expertise in the market research process, experience in technology product and program management, and formal training in engineering and marketing. VDC's clients include thousands of the largest and fastest growing tech suppliers in the world and the most successful investors participating in the markets we cover.